46 lines
1.8 KiB
Diff
46 lines
1.8 KiB
Diff
From 08f76e2aa6d7ca35cfb626f20ace1f9036cda3a0 Mon Sep 17 00:00:00 2001
|
|
From: Eric Garver <eric@garver.life>
|
|
Date: Mon, 14 Aug 2023 09:13:29 -0400
|
|
Subject: [PATCH 14/17] v1.2.0: chore(nftables): add delete table helper
|
|
|
|
This is to workaround an nftables issue where using the "delete" verb on
|
|
a table that does not exist will throw ENOENT. We can't use the newer
|
|
"destroy" verb because it's too new to rely upon.
|
|
|
|
A simple hack is to always add the table before deleting it. The "add"
|
|
is ignored if the table already exists.
|
|
|
|
(cherry picked from commit 8be561d26931832f000526cc41293700faa6c877)
|
|
---
|
|
src/firewall/core/nftables.py | 14 ++++++++++++++
|
|
1 file changed, 14 insertions(+)
|
|
|
|
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
|
|
index 2764bcf93645..1959bdce73be 100644
|
|
--- a/src/firewall/core/nftables.py
|
|
+++ b/src/firewall/core/nftables.py
|
|
@@ -396,6 +396,20 @@ class nftables(object):
|
|
# Tables always exist in nftables
|
|
return [table] if table else IPTABLES_TO_NFT_HOOK.keys()
|
|
|
|
+ def _build_delete_table_rules(self, table):
|
|
+ # To avoid nftables returning ENOENT we always add the table before
|
|
+ # deleting to guarantee it will exist.
|
|
+ #
|
|
+ # In the future, this add+delete should be replaced with "destroy", but
|
|
+ # that verb is too new to rely upon.
|
|
+ rules = []
|
|
+ for family in ["inet", "ip", "ip6"]:
|
|
+ rules.append({"add": {"table": {"family": family,
|
|
+ "name": table}}})
|
|
+ rules.append({"delete": {"table": {"family": family,
|
|
+ "name": table}}})
|
|
+ return rules
|
|
+
|
|
def build_flush_rules(self):
|
|
# Policy is stashed in a separate table that we're _not_ going to
|
|
# flush. As such, we retain the policy rule handles and ref counts.
|
|
--
|
|
2.39.3
|
|
|